Hi All,

I'm Fahim, working on deploying a Virtual Honeynet in my University. After doing thorough literature reviews and studying various design strategies implemented elsewhere, I decided to carry on a small implementation (a mock implementation of a honeywall honeynet) on my laptop.

Moving towards the implementation phase, I was trying to set up a honeynet on my laptop with VMware. It's up and running following the PK VMware Honeynet How To (http://www.honeynet.pk/honeywall/roo/page2b.htm). However, the honeywall doesn't seem to be logging anything :S life sux! I'm on Linux FC8, VMware up and running. Other details are: I am able to ping nodes from the honeypot to the GW and access the Walleye interface via https fine. But unfortunately the honeywall doesn't seem to log any activity, suggesting the bridge is being bypassed. More details are provided in the conf below.

The PK honeynet howto seems a bit confusing, as I believe that since the honeypot is on the vmnet1 segment it's not being routed through the bridge, and thus snort and tcpdump on both the eth0 and eth1 interfaces of the honeywall can't see any traffic except ARP broadcasts. On eth2 I see packets arriving and being logged, as it's the default GW for the honeypot. Allowing outbound traffic from the honeywall, I am able to ping both the honeypot and host-eth0 from the honeywall. tcpdump on eth2 shows the packets are being received from the honeypot, but they aren't getting forwarded to the host subnet. Please advise.

Another observation is that using the vmnet1 IP as GW for the honeypot (vm2-winxp) instead of eth2 of the honeywall, I'm able to ping Host Eth0 (192.168.1.1), but then again the honeywall's eth0 and eth1 ports see no traffic with tcpdump. Please advise.

Design is as follows:

    -HOST- ETH0 (192.168.1.1)
      |
      |
    VM1-Honeywall-GW-(ETH0) BR (vmnet0) ---- VM1-Honeywall-GW-(ETH1) BR (vmnet0)
    VM1-Honeywall-GW-VMNET1 (172.16.72.200) - eth2
      |
      |
    VMNET1 (172.16.72.1) - sw
      |
    VM2 - WINXP-(ETH0)(vmnet1) IP 172.16.72.10 GW 172.16.72.200

Having some network experience, I somehow cannot agree with the design laid out by the PK project people (http://www.honeynet.pk/honeywall/roo/page2b.htm):

1. They have shown eth0 and eth1 of the honeywall as bridged and eth2 as host-only in the VMware conf, knowing that the first two interfaces (eth0 and eth1) will again be bridged further by the Honeywall setup by default!

2. If it's bridging between 2 different LAN segments, which seems the correct way to go from a bridge perspective (vmnet0 and vmnet1), then does that mean we have to assign a public IP to the vmnet1 virtual switch? i.e. we would require 3 public IPs:

    host-eth0(pubip) ---> GW-ETH0-(BRIDGED)-HONEYWALL-ETH1(VMNET1-HOST ONLY) ------> vmnet1(pubip) ----> VM-honeypot-eth0-(pubip)

Also, checking the status info, it seems that the honeywall doesn't like this either:

    "Invalid NIC: eth0 is not a valid network interface. specify another device or check the status menu for a list of valid devices" - honeywall conf mode and IP info menu
    "Invalid NIC: eth1 is not a valid network interface. specify another device or check the status menu for a list of valid devices" - honeywall conf mode and IP info menu

##### V M W A R E ######################

    At least one instance of VMware Server is still running.
    Bridged networking on /dev/vmnet0 is running
    Host-only networking on /dev/vmnet1 is running
    Host-only networking on /dev/vmnet8 is running
    NAT networking on /dev/vmnet8 is running
    Module vmmon loaded
    Module vmnet loaded

#### VM1 - NETWORK ########################

    ETH0 ON /DEV/VMNET0
    ETH1 ON /DEV/VMNET0
    ETH2 ON /DEV/VMNET1 (I'M USING THIS AS MGMNT; IP IS 172.16.72.200, GW IS 72.1 ---> WORKING FINE, INTERFACE ACCESSIBLE AND ALL)

#### HONEYPOT NETWORK ######################

    WINXP-SP2 HONEYPOT
    ETH0: 172.16.72.10
    GW: .72.200

--------------- IFCONFIG ON HOST -----------------
-------------------------------------------------

    eth0      Link encap:Ethernet  HWaddr 00:19:D1:1E:C9:F6
              inet addr:192.168.1.1  Bcast:172.16.72.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:3567167 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12349627 errors:0 dropped:0 overruns:0 carrier:0
              collisions:1 txqueuelen:1000
              RX bytes:357326919 (340.7 MiB)  TX bytes:1275014016 (1.1 GiB)
              Interrupt:18 Base address:0xe800

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:7836 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7836 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3135329 (2.9 MiB)  TX bytes:3135329 (2.9 MiB)

    vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
              inet addr:172.16.72.1  Bcast:172.16.72.255  Mask:255.255.255.0
              inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:273 errors:0 dropped:0 overruns:0 frame:0
              TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Please advise.

Thanks,
Fahim

_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
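The layout problem the post describes (honeywall eth0 and eth1 both on vmnet0, the honeypot on vmnet1 next to the management NIC, so br0 never sees honeypot traffic) can be caught before booting anything by reading the two guests' .vmx files. The script below is an added example written for this page; it is not part of the original post, the PK howto or the Honeywall project. It assumes the VMware .vmx keys `ethernetN.connectionType` (bridged / hostonly / nat / custom) and `ethernetN.vnet` (set for "custom"), maps the default types to the vmnets shown in the VMware status output above (bridged to /dev/vmnet0, host-only to /dev/vmnet1, NAT to /dev/vmnet8), and takes the Honeywall roo default roles the poster refers to: eth0 and eth1 form br0 (outside and inside), eth2 is Walleye management. The .vmx fragments are constructed to mirror the posted layout and one that puts the honeypot behind the bridge.

```bash
#!/bin/sh
# Added example (not from the original post): sanity-check a VMware honeywall
# layout from the guests' .vmx text before trusting snort/tcpdump on br0.
# Assumed .vmx keys: ethernetN.connectionType and ethernetN.vnet (custom only).

# vmx_nic_vnet <vmx-text> <N>: print the /dev/vmnetX that ethernetN lands on.
# Default mapping follows the VMware Server status in the post:
# bridged -> vmnet0, hostonly -> vmnet1, nat -> vmnet8; custom uses its vnet key.
vmx_nic_vnet() {
    local vmx="$1" n="$2" type vnet
    type=$(printf '%s\n' "$vmx" | sed -n "s/^ethernet$n\.connectionType *= *\"\([^\"]*\)\".*/\1/p")
    vnet=$(printf '%s\n' "$vmx" | sed -n "s/^ethernet$n\.vnet *= *\"\([^\"]*\)\".*/\1/p")
    case "$type" in
        bridged)  echo "${vnet:-/dev/vmnet0}" ;;
        hostonly) echo "${vnet:-/dev/vmnet1}" ;;
        nat)      echo "${vnet:-/dev/vmnet8}" ;;
        custom)   echo "$vnet" ;;
        *)        echo "" ;;
    esac
}

# honeywall_layout_check <honeywall .vmx text> <honeypot .vmx text>
# Roles assumed from the Honeywall roo default: eth0 = outside of br0,
# eth1 = inside of br0 (honeypot segment), eth2 = Walleye management.
# Prints FAIL/WARN findings and returns 1, or prints the capture path and returns 0.
honeywall_layout_check() {
    local hw="$1" hp="$2" ext int mgmt pot rc=0
    ext=$(vmx_nic_vnet "$hw" 0)
    int=$(vmx_nic_vnet "$hw" 1)
    mgmt=$(vmx_nic_vnet "$hw" 2)
    pot=$(vmx_nic_vnet "$hp" 0)
    if [ -z "$ext" ] || [ -z "$int" ] || [ -z "$pot" ]; then
        echo "FAIL: could not resolve every NIC to a vmnet (eth0=$ext eth1=$int honeypot=$pot)"
        return 1
    fi
    if [ "$ext" = "$int" ]; then
        echo "FAIL: eth0 and eth1 both on $ext; br0 bridges one segment to itself and captures nothing"
        rc=1
    fi
    if [ "$pot" != "$int" ]; then
        echo "FAIL: honeypot on $pot but honeywall eth1 on $int; honeypot traffic bypasses br0"
        rc=1
    fi
    if [ "$mgmt" = "$int" ] || [ "$mgmt" = "$pot" ]; then
        echo "WARN: management eth2 shares $mgmt with the honeypot; the honeypot can reach Walleye directly"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: honeypot ($pot) -> eth1 ($int) -> br0 -> eth0 ($ext)"
    return $rc
}

# Constructed .vmx fragments (not the poster's files). POSTED_* reproduces the
# layout in the post: eth0 and eth1 both bridged (vmnet0), eth2 host-only
# (vmnet1), honeypot host-only (vmnet1).
POSTED_HW='ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
ethernet2.present = "TRUE"
ethernet2.connectionType = "hostonly"'
POSTED_HP='ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"'

# FIXED_* puts eth1 and the honeypot alone on a custom switch (/dev/vmnet2 is
# an assumed name), leaving vmnet1 to management only.
FIXED_HW='ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "/dev/vmnet2"
ethernet2.present = "TRUE"
ethernet2.connectionType = "hostonly"'
FIXED_HP='ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "/dev/vmnet2"'

echo "== posted layout =="
honeywall_layout_check "$POSTED_HW" "$POSTED_HP" || echo "(layout fails the check)"
echo "== honeypot behind br0 =="
honeywall_layout_check "$FIXED_HW" "$FIXED_HP" || echo "(layout fails the check)"
```

Run against real files with `honeywall_layout_check "$(cat honeywall.vmx)" "$(cat honeypot.vmx)"`. The posted layout produces three findings: eth0 and eth1 share /dev/vmnet0, the honeypot sits on /dev/vmnet1 rather than on eth1's segment, and management eth2 shares that segment with the honeypot, which is exactly why only eth2 sees the honeypot's packets. Whether the inner segment needs public addressing is a separate question from whether br0 is in the path; a transparent bridge carries whatever addressing the honeypot uses, so the check deliberately says nothing about IP assignment.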
